[Extra] Advanced ("Modern & Secure") Email Authentication
Michael Slusarz <michael.slusarz@open-xchange.com> Thu, 26 August 2021 06:47 UTC
Return-Path: <michael.slusarz@open-xchange.com>
X-Original-To: extra@ietfa.amsl.com
Delivered-To: extra@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id E972D3A0E8A
for <extra@ietfa.amsl.com>; Wed, 25 Aug 2021 23:47:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id NUx2LdE7ecaw for <extra@ietfa.amsl.com>;
Wed, 25 Aug 2021 23:47:19 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 27B4A3A0E84
for <extra@ietf.org>; Wed, 25 Aug 2021 23:47:18 -0700 (PDT)
Received: from imap.open-xchange.com (imap.open-xchange.com [10.20.28.82])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client did not present a certificate)
by mx3.open-xchange.com (Postfix) with ESMTPSA id 0D7B76A0DF;
Thu, 26 Aug 2021 08:47:15 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com;
s=201705; t=1629960435;
bh=f9tGKok0eQ2lhRiRj0lECrWeszf9WjAtbQhK5urkkng=;
h=Date:From:To:Subject:From;
b=8tI+5VRBx68fb43b4g2KiXHkxb03RLU6WRMd+NPMmdmQKdDKqnVYIAjRLS6s9k21f
Zg+/2CE3xwpsWBjVYAp62IirWLx28llVy1/vfj96sppu/7ie8tZNNdSniBS6t4G8lc
7SRGWDrXcrqQ2DxnDofM0yJv+yger6By2aVjXTT6GNpO+iOXhT5eZwOwvutwO9FWpT
f2h9M9q/3eqRLKjvRwzQOxZyKq9Yk6eZgoLiIcR7bH5vp7IX/kw5VH5WwjcaKrKiEI
7ojc1WMYgG6sNCdF9M9MjItlzVSduo8MNcjs0Z8MZIJ/LAH5c8Y9nwt+j6X1WP0i42
ULIFi5kmj6g8w==
Received: from appsuite-gw2.open-xchange.com ([10.20.28.82])
by imap.open-xchange.com with ESMTPSA id 2LfVAvM4J2EhHgAA3c6Kzw
(envelope-from <michael.slusarz@open-xchange.com>);
Thu, 26 Aug 2021 08:47:15 +0200
Date: Thu, 26 Aug 2021 00:47:14 -0600 (MDT)
From: Michael Slusarz <michael.slusarz@open-xchange.com>
To: "extra@ietf.org" <extra@ietf.org>
Message-ID: <1898235280.14467.1629960434945@appsuite.open-xchange.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_14466_1753459993.1629960434940"
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.5-Rev21
X-Originating-Client: open-xchange-appsuite
Archived-At: <https://mailarchive.ietf.org/arch/msg/extra/E1v2gogWD5-by95oYR6qPJ1FVxE>
Subject: [Extra] Advanced ("Modern & Secure") Email Authentication
X-BeenThere: extra@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Email mailstore and eXtensions To Revise or Amend <extra.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/extra>,
<mailto:extra-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/extra/>
List-Post: <mailto:extra@ietf.org>
List-Help: <mailto:extra-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/extra>,
<mailto:extra-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Aug 2021 06:47:25 -0000
Hello all, First, let me echo Bron and say congratulations and thank you to everyone that helped IMAP4rev2 become reality, especially Alexey and Barry as editors! You have all created a substantial additional amount of work for me in coordinating efforts to ensure compliance with the new standard :) Onto my main topic: I am looking for input regarding the proper forum to raise an initiative we are currently working on. Very short background: within the last year, many of our largest customers have come to us asking what can be done about making authentication for email services more "modern and secure". Specifically it is driven by the desire to stop using the legacy username/password paradigm to authenticate to core email backend services, but more abstractly the problem can be framed as a more general desire that "email services should do authentication like current mobile/web apps do". (JMAP implements advanced auth, but our customers require support for the legacy mail protocols.) Our initial focus was on figuring out the best way to better support "modern & secure authentication" - which we took as a mandate to spread universal availability and adoption of delegated authentication and all the benefits it provides. Yes, this kind of exists today in some clients for a very small subset of providers (Gmail, Yahoo, etc.) - but the proper general solution cannot be hard-coded authentication endpoints in select clients for select email providers. There needs to be access to a universal standard, or at least a best practice, that allows any mail installation to enable advanced authentication and then have immediate client access to this improve functionality. And if we are going to spend time and energy trying to convince the ecosystem to support this, we might as well rethink the entire user email authentication experience at the same time. Wouldn't it be great if (best case) a user installs a client, enters just an e-mail address, and the client does all the auto-configuration necessary behind the scenes to connect to the proper server and display the user the "login page" for their account, which would allow any kind of fancy modern security desired (2FA, etc.)? We believe all of the necessary standards already exist to accomplish this today. We believe it is just a matter of educating developers/admins on how to consistently implement this goal. The goal is to educate on the interplay between already existing standards like Email SRV records (RFC 6186), OAUTH/OpenID autodiscovery in SASL (RFC 7628), and expected authentication flows in the various email protocols (IMAP, POP3, Submission, ManageSieve) that would enable client authors, server authors, and administrators to provide the necessary infrastructure to enable widespread adoption. This feels like an Informational document, not a Standards Track document, as the intent is to provide a best practices way to use and link multiple concepts rather than inventing new functionality. The question I ask today is: what is the proper WG to take discussion on this idea? I bring the idea to extra as this is an e-mail centric WG and there is specific overlap in this proposal with several of the email protocols addressed by this WG (IMAP, ManageSieve). But, admittedly, Submission and POP3 are currently out of scope here, and this proposal also touches on areas like DNS, OAUTH/OpenID Connect, and SASL. I did consider taking this to direct to dispatch, but wanted to get input from the email community first, with the thought that if anybody else here is interested in the same problems that they should feel free to join us in pushing this forward :) Thanks, and looking forward to any/all feedback. michael
- [Extra] Advanced ("Modern & Secure") Email Authen… Michael Slusarz
- Re: [Extra] Advanced ("Modern & Secure") Email Au… Michael Peddemors
- Re: [Extra] Advanced ("Modern & Secure") Email Au… Steffen Nurpmeso